[29288] in bugtraq
Re: QPopper 4.0.x buffer overflow vulnerability
daemon@ATHENA.MIT.EDU (Harald Hellmuth)
Thu Mar 13 13:00:29 2003
Date: Thu, 13 Mar 2003 08:12:47 +0100
From: Harald Hellmuth <hh@hostserver.de>
To: Randall Gellens <rg_public.1@flagg.qualcomm.com>,
bugtraq@securityfocus.com
Message-Id: <20030313081247.69fb2bd2.hh@hostserver.de>
In-Reply-To: <a06000b1eba9453b7f0cc@[129.46.74.134]>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
On Tue, 11 Mar 2003 19:05:51 -0800
Randall Gellens <rg_public.1@flagg.qualcomm.com> wrote:
> The first I heard of the problem was this morning. Was any notice
> sent to qpopper-bugs@qualcomm.com or qpopper-patches@qualcomm.com in
> advance of the posting here? If so, please let me know the details
> so I can see what happened to the message. If not, I'd like to know
> why.
>
> A fixed Qpopper (version 4.0.5fc2) is available now at
> <ftp://ftp.qualcomm.com/eudora/servers/unix/popper/beta/>. I plan on
> releasing 4.0.5 final tomorrow unless I hear of any problems with
> 4.0.5fc2.
>
> --
> Randall Gellens
> rg_public.1@flagg.qualcomm.com
> Opinions are personal; facts are suspect; I speak for myself only
Hello,
Yesterday(2003-03-12) I've sent the following email to qpopper-bugs@qualcomm.com:
------------------------------ snip ---------------------------------------
Dear Sir or Madam,
Florian Heinz posted an exploit to gain shell access through qpopper.
See http://nstx.dereference.de/snippets/qex.c.
The reason is an unterminated bufferstring in Qvsnprintf.
I looked at version 4.05fc2 and there is a change, but i think that
change isn't correct.
/* From File common/snprintf.c */
if ( nSize == 0 && *p != '\0' )
{
*s = '\0';
return -1;
}
else
return ( (n-1) - nSize );
/* when string that should be written to the buffer fits exactly,
* than there will no Zero-Byte be written to buffer, cause the for
* loop terminates when nSize is 0 and the terminating '\0' of p is not
* copied to buffer ;-(
*/
Ithink, it should be written as :
if ( nSize || *p=='\0')
{
*s++ = *p;
return ( (n-1) - nSize );
}
else{
*s++ = '\0';
return -1;
}
Please excuse my bad english.
regards
Harald Hellmuth
------------------------------ snap ---------------------------------------
with best regards
--
Harald Hellmuth
E-Mail: hh@hostserver.de
